
Merge branch 'dev' into add-warning-when-dir-for-scan-doesnt-exist
eranturgeman authored May 23, 2024
2 parents 288e6a0 + 3bf5f3e commit 5160389
Showing 35 changed files with 1,331 additions and 210 deletions.
2 changes: 1 addition & 1 deletion buildscripts/download-jars.sh
Expand Up @@ -9,7 +9,7 @@
# Once you have updated the versions mentioned below, please execute this script from the root directory of the jfrog-cli-core to ensure the JAR files are updated.
GRADLE_DEP_TREE_VERSION="3.0.2"
# Changing this version also requires a change in mavenDepTreeVersion within utils/java/mvn.go.
MAVEN_DEP_TREE_VERSION="1.1.0"
MAVEN_DEP_TREE_VERSION="1.1.1"

curl -fL https://releases.jfrog.io/artifactory/oss-release-local/com/jfrog/gradle-dep-tree/${GRADLE_DEP_TREE_VERSION}/gradle-dep-tree-${GRADLE_DEP_TREE_VERSION}.jar -o commands/audit/sca/java/resources/gradle-dep-tree.jar
curl -fL https://releases.jfrog.io/artifactory/oss-release-local/com/jfrog/maven-dep-tree/${MAVEN_DEP_TREE_VERSION}/maven-dep-tree-${MAVEN_DEP_TREE_VERSION}.jar -o commands/audit/sca/java/resources/maven-dep-tree.jar
3 changes: 2 additions & 1 deletion commands/audit/sca/common.go
Expand Up @@ -178,7 +178,8 @@ func SuspectCurationBlockedError(isCurationCmd bool, tech coreutils.Technology,
}
switch tech {
case coreutils.Maven:
if strings.Contains(cmdOutput, "status code: 403") || strings.Contains(cmdOutput, "status code: 500") {
if strings.Contains(cmdOutput, "status code: 403") || strings.Contains(strings.ToLower(cmdOutput), "403 forbidden") ||
strings.Contains(cmdOutput, "status code: 500") {
msgToUser = fmt.Sprintf(curationErrorMsgToUserTemplate, coreutils.Maven)
}
case coreutils.Pip:
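Review bot: The new `403 forbidden` test lowercases cmdOutput while the `status code: 403` and `status code: 500` tests on the same condition stay case-sensitive, so the three substring checks treat case differently for no stated reason. Computing `lowerOutput := strings.ToLower(cmdOutput)` once before the switch and matching all three patterns against it keeps the heuristic uniform and avoids lowercasing the whole output inside the branch. Since any "403" text in the tool output is classified as a curation block, a 403 from an unrelated repository yields the same message; a one-line comment above the condition noting that this is a best-effort match on command output, not a status returned by the server, would help readers. The signature and remainder of SuspectCurationBlockedError are outside the hunk.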
17 changes: 8 additions & 9 deletions commands/audit/sca/common_test.go
Expand Up @@ -9,7 +9,6 @@ import (
"golang.org/x/exp/maps"

"github.com/jfrog/jfrog-cli-core/v2/utils/tests"
coreXray "github.com/jfrog/jfrog-cli-core/v2/utils/xray"
"github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-client-go/xray/services"
xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
Expand Down Expand Up @@ -61,13 +60,13 @@ func TestGetExcludePattern(t *testing.T) {
}

func TestBuildXrayDependencyTree(t *testing.T) {
treeHelper := make(map[string]coreXray.DepTreeNode)
rootDep := coreXray.DepTreeNode{Children: []string{"topDep1", "topDep2", "topDep3"}}
topDep1 := coreXray.DepTreeNode{Children: []string{"midDep1", "midDep2"}}
topDep2 := coreXray.DepTreeNode{Children: []string{"midDep2", "midDep3"}}
midDep1 := coreXray.DepTreeNode{Children: []string{"bottomDep1"}}
midDep2 := coreXray.DepTreeNode{Children: []string{"bottomDep2", "bottomDep3"}}
bottomDep3 := coreXray.DepTreeNode{Children: []string{"leafDep"}}
treeHelper := make(map[string]utils.DepTreeNode)
rootDep := utils.DepTreeNode{Children: []string{"topDep1", "topDep2", "topDep3"}}
topDep1 := utils.DepTreeNode{Children: []string{"midDep1", "midDep2"}}
topDep2 := utils.DepTreeNode{Children: []string{"midDep2", "midDep3"}}
midDep1 := utils.DepTreeNode{Children: []string{"bottomDep1"}}
midDep2 := utils.DepTreeNode{Children: []string{"bottomDep2", "bottomDep3"}}
bottomDep3 := utils.DepTreeNode{Children: []string{"leafDep"}}
treeHelper["rootDep"] = rootDep
treeHelper["topDep1"] = topDep1
treeHelper["topDep2"] = topDep2
Expand Down Expand Up @@ -116,7 +115,7 @@ func TestBuildXrayDependencyTree(t *testing.T) {
topDep2Node.Parent = rootNode
topDep3Node.Parent = rootNode

tree, uniqueDeps := coreXray.BuildXrayDependencyTree(treeHelper, "rootDep")
tree, uniqueDeps := utils.BuildXrayDependencyTree(treeHelper, "rootDep")

assert.ElementsMatch(t, expectedUniqueDeps, maps.Keys(uniqueDeps))
assert.True(t, tests.CompareTree(tree, rootNode))
25 changes: 13 additions & 12 deletions commands/audit/sca/java/deptreemanager.go
Expand Up @@ -2,12 +2,12 @@ package java

import (
"encoding/json"
"github.com/jfrog/jfrog-cli-security/utils"
"os"
"strings"

"github.com/jfrog/jfrog-cli-core/v2/utils/config"
"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
"github.com/jfrog/jfrog-cli-core/v2/utils/xray"
"github.com/jfrog/jfrog-client-go/utils/errorutils"
xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
)
Expand All @@ -16,7 +16,7 @@ const (
GavPackageTypeIdentifier = "gav://"
)

func BuildDependencyTree(depTreeParams DepTreeParams, tech coreutils.Technology) ([]*xrayUtils.GraphNode, map[string][]string, error) {
func BuildDependencyTree(depTreeParams DepTreeParams, tech coreutils.Technology) ([]*xrayUtils.GraphNode, map[string]*utils.DepTreeNode, error) {
if tech == coreutils.Maven {
return buildMavenDependencyTree(&depTreeParams)
}
Expand Down Expand Up @@ -44,18 +44,18 @@ func NewDepTreeManager(params *DepTreeParams) DepTreeManager {

// The structure of a dependency tree of a module in a Gradle/Maven project, as created by the gradle-dep-tree and maven-dep-tree plugins.
type moduleDepTree struct {
Root string `json:"root"`
Nodes map[string]xray.DepTreeNode `json:"nodes"`
Root string `json:"root"`
Nodes map[string]utils.DepTreeNode `json:"nodes"`
}

// Reads the output files of the gradle-dep-tree and maven-dep-tree plugins and returns them as a slice of GraphNodes.
// It takes the output of the plugin's run (which is a byte representation of a list of paths of the output files, separated by newlines) as input.
func getGraphFromDepTree(outputFilePaths string) (depsGraph []*xrayUtils.GraphNode, uniqueDepsMap map[string][]string, err error) {
func getGraphFromDepTree(outputFilePaths string) (depsGraph []*xrayUtils.GraphNode, uniqueDepsMap map[string]*utils.DepTreeNode, err error) {
modules, err := parseDepTreeFiles(outputFilePaths)
if err != nil {
return
}
uniqueDepsMap = map[string][]string{}
uniqueDepsMap = map[string]*utils.DepTreeNode{}
for _, module := range modules {
moduleTree, moduleUniqueDeps := GetModuleTreeAndDependencies(module)
depsGraph = append(depsGraph, moduleTree)
Expand All @@ -67,8 +67,8 @@ func getGraphFromDepTree(outputFilePaths string) (depsGraph []*xrayUtils.GraphNo
}

// Returns a dependency tree and a flat list of the module's dependencies for the given module
func GetModuleTreeAndDependencies(module *moduleDepTree) (*xrayUtils.GraphNode, map[string][]string) {
moduleTreeMap := make(map[string]xray.DepTreeNode)
func GetModuleTreeAndDependencies(module *moduleDepTree) (*xrayUtils.GraphNode, map[string]*utils.DepTreeNode) {
moduleTreeMap := make(map[string]utils.DepTreeNode)
moduleDeps := module.Nodes
for depName, dependency := range moduleDeps {
dependencyId := GavPackageTypeIdentifier + depName
Expand All @@ -77,12 +77,13 @@ func GetModuleTreeAndDependencies(module *moduleDepTree) (*xrayUtils.GraphNode,
childId := GavPackageTypeIdentifier + childName
childrenList = append(childrenList, childId)
}
moduleTreeMap[dependencyId] = xray.DepTreeNode{
Types: dependency.Types,
Children: childrenList,
moduleTreeMap[dependencyId] = utils.DepTreeNode{
Classifier: dependency.Classifier,
Types: dependency.Types,
Children: childrenList,
}
}
return xray.BuildXrayDependencyTree(moduleTreeMap, GavPackageTypeIdentifier+module.Root)
return utils.BuildXrayDependencyTree(moduleTreeMap, GavPackageTypeIdentifier+module.Root)
}

func parseDepTreeFiles(jsonFilePaths string) ([]*moduleDepTree, error) {
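Review bot: The added `"github.com/jfrog/jfrog-cli-security/utils"` import sits inside the standard-library group between `"encoding/json"` and `"os"`, where goimports would move it to the third-party group beside the jfrog-cli-core imports; the same placement appears in gradle.go (after `"fmt"`) and mvn.go. `GetModuleTreeAndDependencies` now returns `map[string]*utils.DepTreeNode`, but its doc comment still promises "a flat list of the module's dependencies"; I would change it to `// Returns a dependency tree and a map of the module's unique dependencies, keyed by dependency id, for the given module`. The same applies to the `uniqueDepsMap` result of getGraphFromDepTree, whose comment still speaks of a slice of GraphNodes only. How the per-module maps are merged into uniqueDepsMap, and whether a dependency appearing in two modules keeps the first node or the last, is decided by lines after the hunk and may deserve a comment there.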
3 changes: 2 additions & 1 deletion commands/audit/sca/java/gradle.go
Expand Up @@ -4,6 +4,7 @@ import (
_ "embed"
"errors"
"fmt"
"github.com/jfrog/jfrog-cli-security/utils"
"os"
"os/exec"
"path/filepath"
Expand Down Expand Up @@ -56,7 +57,7 @@ type gradleDepTreeManager struct {
DepTreeManager
}

func buildGradleDependencyTree(params *DepTreeParams) (dependencyTree []*xrayUtils.GraphNode, uniqueDeps map[string][]string, err error) {
func buildGradleDependencyTree(params *DepTreeParams) (dependencyTree []*xrayUtils.GraphNode, uniqueDeps map[string]*utils.DepTreeNode, err error) {
manager := &gradleDepTreeManager{DepTreeManager: NewDepTreeManager(params)}
outputFileContent, err := manager.runGradleDepTree()
if err != nil {
5 changes: 3 additions & 2 deletions commands/audit/sca/java/mvn.go
Expand Up @@ -6,6 +6,7 @@ import (
"fmt"
"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
"github.com/jfrog/jfrog-cli-security/commands/audit/sca"
"github.com/jfrog/jfrog-cli-security/utils"
"net/url"
"os"
"os/exec"
Expand All @@ -24,7 +25,7 @@ const (
mavenDepTreeJarFile = "maven-dep-tree.jar"
mavenDepTreeOutputFile = "mavendeptree.out"
// Changing this version also requires a change in MAVEN_DEP_TREE_VERSION within buildscripts/download_jars.sh
mavenDepTreeVersion = "1.1.0"
mavenDepTreeVersion = "1.1.1"
settingsXmlFile = "settings.xml"
)

Expand Down Expand Up @@ -68,7 +69,7 @@ func NewMavenDepTreeManager(params *DepTreeParams, cmdName MavenDepTreeCmd) *Mav
}
}

func buildMavenDependencyTree(params *DepTreeParams) (dependencyTree []*xrayUtils.GraphNode, uniqueDeps map[string][]string, err error) {
func buildMavenDependencyTree(params *DepTreeParams) (dependencyTree []*xrayUtils.GraphNode, uniqueDeps map[string]*utils.DepTreeNode, err error) {
manager := NewMavenDepTreeManager(params, Tree)
outputFilePaths, clearMavenDepTreeRun, err := manager.RunMavenDepTree()
if err != nil {
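Review bot: The bump to `mavenDepTreeVersion = "1.1.1"` ships together with a replaced binary `commands/audit/sca/java/resources/maven-dep-tree.jar`, but nothing on this page ties the committed jar to the published 1.1.1 artifact: buildscripts/download-jars.sh fetches it with `curl -fL` and no digest check, and this constant is only compared as a string. Recording the expected digest beside the version, e.g. `mavenDepTreeSha256 = "<expected-sha256-placeholder>"`, and verifying it in the download script (and in a test if the resource is embedded) would let a reviewer confirm that a replaced binary is the intended release instead of accepting an opaque "Binary file not shown" diff. The second hunk changes the return type of `buildMavenDependencyTree`; its body continues outside the hunk.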
16 changes: 12 additions & 4 deletions commands/audit/sca/java/mvn_test.go
Expand Up @@ -105,7 +105,7 @@ func TestMavenTreesMultiModule(t *testing.T) {

expectedUniqueDeps := []string{
GavPackageTypeIdentifier + "javax.mail:mail:1.4",
GavPackageTypeIdentifier + "org.testng:testng:5.9",
GavPackageTypeIdentifier + "org.testng:testng:5.9-jdk15",
GavPackageTypeIdentifier + "javax.servlet:servlet-api:2.5",
GavPackageTypeIdentifier + "org.jfrog.test:multi:3.7-SNAPSHOT",
GavPackageTypeIdentifier + "org.jfrog.test:multi3:3.7-SNAPSHOT",
Expand Down Expand Up @@ -157,7 +157,7 @@ func TestMavenWrapperTrees(t *testing.T) {
GavPackageTypeIdentifier + "org.springframework:spring-core:2.5.6",
GavPackageTypeIdentifier + "org.jfrog.test:multi:3.7-SNAPSHOT",
GavPackageTypeIdentifier + "org.jfrog.test:multi2:3.7-SNAPSHOT",
GavPackageTypeIdentifier + "org.testng:testng:5.9",
GavPackageTypeIdentifier + "org.testng:testng:5.9-jdk15",
GavPackageTypeIdentifier + "hsqldb:hsqldb:1.8.0.10",
GavPackageTypeIdentifier + "junit:junit:3.8.1",
GavPackageTypeIdentifier + "javax.activation:activation:1.1",
Expand Down Expand Up @@ -198,7 +198,8 @@ func TestMavenWrapperTreesTypes(t *testing.T) {
// dependency of pom type
depWithPomType := uniqueDeps["gav://org.webjars:lodash:4.17.21"]
assert.NotEmpty(t, depWithPomType)
assert.Equal(t, depWithPomType[0], "pom")
types := *depWithPomType.Types
assert.Equal(t, types[0], "pom")
existInTreePom := false
for _, node := range tree[0].Nodes {
if node.Id == "gav://org.webjars:lodash:4.17.21" {
Expand All @@ -212,7 +213,8 @@ func TestMavenWrapperTreesTypes(t *testing.T) {
// dependency of jar type
depWithJarType := uniqueDeps["gav://junit:junit:4.11"]
assert.NotEmpty(t, depWithJarType)
assert.Equal(t, depWithJarType[0], "jar")
types = *depWithJarType.Types
assert.Equal(t, types[0], "jar")
existInTreeJar := false
for _, node := range tree[0].Nodes {
if node.Id == "gav://junit:junit:4.11" {
Expand All @@ -221,6 +223,12 @@ func TestMavenWrapperTreesTypes(t *testing.T) {
existInTreeJar = true
}
}
// dependency with classifier
depWithJarClassifier1 := uniqueDeps["gav://commons-io:commons-io:1.2-flavor1"]
assert.NotEmpty(t, depWithJarClassifier1)
depWithJarClassifier2 := uniqueDeps["gav://commons-io:commons-io:1.2-flavor2"]
assert.NotEmpty(t, depWithJarClassifier2)

assert.True(t, existInTreeJar)
}

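Review bot: `types := *depWithPomType.Types` and `types = *depWithJarType.Types` dereference what looks like a pointer field right after `assert.NotEmpty`, which does not stop the test on failure, so a missing map entry or a nil `Types` becomes a nil-pointer panic with no assertion message. Guarding each dereference with `if !assert.NotNil(t, depWithPomType.Types) { return }` (or the `require` equivalent if the file imports it) keeps the failure readable. The new classifier checks on the two `commons-io` lookups only assert that the nodes exist; asserting the `Classifier` field of each node holds the value the fixture is expected to produce would actually exercise the field this commit introduces. TestMavenWrapperTreesTypes starts before the hunk.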
Binary file modified commands/audit/sca/java/resources/maven-dep-tree.jar
Binary file not shown.
5 changes: 2 additions & 3 deletions commands/audit/sca/npm/npm.go
Expand Up @@ -7,7 +7,6 @@ import (
buildinfo "github.com/jfrog/build-info-go/entities"
"github.com/jfrog/jfrog-cli-core/v2/artifactory/commands/npm"
"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
coreXray "github.com/jfrog/jfrog-cli-core/v2/utils/xray"
"github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-client-go/utils/log"
xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
Expand Down Expand Up @@ -105,7 +104,7 @@ func addIgnoreScriptsFlag(npmArgs []string) []string {

// Parse the dependencies into an Xray dependency tree format
func parseNpmDependenciesList(dependencies []buildinfo.Dependency, packageInfo *biutils.PackageInfo) (*xrayUtils.GraphNode, []string) {
treeMap := make(map[string]coreXray.DepTreeNode)
treeMap := make(map[string]utils.DepTreeNode)
for _, dependency := range dependencies {
dependencyId := utils.NpmPackageTypeIdentifier + dependency.Id
for _, requestedByNode := range dependency.RequestedBy {
Expand All @@ -119,7 +118,7 @@ func parseNpmDependenciesList(dependencies []buildinfo.Dependency, packageInfo *
treeMap[parent] = depTreeNode
}
}
graph, nodeMapTypes := coreXray.BuildXrayDependencyTree(treeMap, utils.NpmPackageTypeIdentifier+packageInfo.BuildInfoModuleId())
graph, nodeMapTypes := utils.BuildXrayDependencyTree(treeMap, utils.NpmPackageTypeIdentifier+packageInfo.BuildInfoModuleId())
return graph, maps.Keys(nodeMapTypes)
}

5 changes: 2 additions & 3 deletions commands/audit/sca/nuget/nuget.go
Expand Up @@ -16,7 +16,6 @@ import (
"github.com/jfrog/gofrog/datastructures"
"github.com/jfrog/jfrog-cli-core/v2/artifactory/commands/dotnet"
"github.com/jfrog/jfrog-cli-core/v2/utils/config"
coreXray "github.com/jfrog/jfrog-cli-core/v2/utils/xray"
"github.com/jfrog/jfrog-cli-security/commands/audit/sca"
"github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-client-go/utils/errorutils"
Expand Down Expand Up @@ -219,7 +218,7 @@ func runDotnetRestore(wd string, params utils.AuditParams, toolType bidotnet.Too
func parseNugetDependencyTree(buildInfo *entities.BuildInfo) (nodes []*xrayUtils.GraphNode, allUniqueDeps []string) {
uniqueDepsSet := datastructures.MakeSet[string]()
for _, module := range buildInfo.Modules {
treeMap := make(map[string]coreXray.DepTreeNode)
treeMap := make(map[string]utils.DepTreeNode)
for _, dependency := range module.Dependencies {
dependencyId := nugetPackageTypeIdentifier + dependency.Id
parent := nugetPackageTypeIdentifier + dependency.RequestedBy[0][0]
Expand All @@ -231,7 +230,7 @@ func parseNugetDependencyTree(buildInfo *entities.BuildInfo) (nodes []*xrayUtils
}
treeMap[parent] = depTreeNode
}
dependencyTree, uniqueDeps := coreXray.BuildXrayDependencyTree(treeMap, nugetPackageTypeIdentifier+module.Id)
dependencyTree, uniqueDeps := utils.BuildXrayDependencyTree(treeMap, nugetPackageTypeIdentifier+module.Id)
nodes = append(nodes, dependencyTree)
for _, uniqueDep := range maps.Keys(uniqueDeps) {
uniqueDepsSet.Add(uniqueDep)
13 changes: 6 additions & 7 deletions commands/audit/sca/pnpm/pnpm.go
Expand Up @@ -20,7 +20,6 @@ import (
"github.com/jfrog/jfrog-client-go/utils/log"

biutils "github.com/jfrog/build-info-go/utils"
coreXray "github.com/jfrog/jfrog-cli-core/v2/utils/xray"
xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
)

Expand Down Expand Up @@ -143,7 +142,7 @@ func parsePnpmLSContent(projectInfo []pnpmLsProject) (dependencyTrees []*xrayUti
uniqueDepsSet := datastructures.MakeSet[string]()
for _, project := range projectInfo {
// Parse the dependencies into Xray dependency tree format
dependencyTree, uniqueProjectDeps := coreXray.BuildXrayDependencyTree(createProjectDependenciesTree(project), getDependencyId(project.Name, project.Version))
dependencyTree, uniqueProjectDeps := utils.BuildXrayDependencyTree(createProjectDependenciesTree(project), getDependencyId(project.Name, project.Version))
// Add results
dependencyTrees = append(dependencyTrees, dependencyTree)
uniqueDepsSet.AddElements(maps.Keys(uniqueProjectDeps)...)
Expand All @@ -152,8 +151,8 @@ func parsePnpmLSContent(projectInfo []pnpmLsProject) (dependencyTrees []*xrayUti
return
}

func createProjectDependenciesTree(project pnpmLsProject) map[string]coreXray.DepTreeNode {
treeMap := make(map[string]coreXray.DepTreeNode)
func createProjectDependenciesTree(project pnpmLsProject) map[string]utils.DepTreeNode {
treeMap := make(map[string]utils.DepTreeNode)
directDependencies := []string{}
// Handle production-dependencies
for depName, dependency := range project.Dependencies {
Expand All @@ -168,7 +167,7 @@ func createProjectDependenciesTree(project pnpmLsProject) map[string]coreXray.De
appendTransitiveDependencies(directDependency, dependency.Dependencies, treeMap)
}
if len(directDependencies) > 0 {
treeMap[getDependencyId(project.Name, project.Version)] = coreXray.DepTreeNode{Children: directDependencies}
treeMap[getDependencyId(project.Name, project.Version)] = utils.DepTreeNode{Children: directDependencies}
}
return treeMap
}
Expand All @@ -178,13 +177,13 @@ func getDependencyId(depName, version string) string {
return utils.NpmPackageTypeIdentifier + depName + ":" + version
}

func appendTransitiveDependencies(parent string, dependencies map[string]pnpmLsDependency, result map[string]coreXray.DepTreeNode) {
func appendTransitiveDependencies(parent string, dependencies map[string]pnpmLsDependency, result map[string]utils.DepTreeNode) {
for depName, dependency := range dependencies {
dependencyId := getDependencyId(depName, dependency.Version)
if node, ok := result[parent]; ok {
node.Children = appendUniqueChild(node.Children, dependencyId)
} else {
result[parent] = coreXray.DepTreeNode{Children: []string{dependencyId}}
result[parent] = utils.DepTreeNode{Children: []string{dependencyId}}
}
appendTransitiveDependencies(dependencyId, dependency.Dependencies, result)
}
7 changes: 3 additions & 4 deletions commands/audit/sca/yarn/yarn.go
Expand Up @@ -13,7 +13,6 @@ import (
"github.com/jfrog/jfrog-cli-core/v2/utils/config"
"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
"github.com/jfrog/jfrog-cli-core/v2/utils/ioutils"
coreXray "github.com/jfrog/jfrog-cli-core/v2/utils/xray"
"github.com/jfrog/jfrog-cli-security/utils"
"github.com/jfrog/jfrog-client-go/utils/errorutils"
"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
Expand Down Expand Up @@ -200,18 +199,18 @@ func runYarnInstallAccordingToVersion(curWd, yarnExecPath string, installCommand

// Parse the dependencies into a Xray dependency tree format
func parseYarnDependenciesMap(dependencies map[string]*biutils.YarnDependency, rootXrayId string) (*xrayUtils.GraphNode, []string) {
treeMap := make(map[string]coreXray.DepTreeNode)
treeMap := make(map[string]utils.DepTreeNode)
for _, dependency := range dependencies {
xrayDepId := getXrayDependencyId(dependency)
var subDeps []string
for _, subDepPtr := range dependency.Details.Dependencies {
subDeps = append(subDeps, getXrayDependencyId(dependencies[biutils.GetYarnDependencyKeyFromLocator(subDepPtr.Locator)]))
}
if len(subDeps) > 0 {
treeMap[xrayDepId] = coreXray.DepTreeNode{Children: subDeps}
treeMap[xrayDepId] = utils.DepTreeNode{Children: subDeps}
}
}
graph, uniqDeps := coreXray.BuildXrayDependencyTree(treeMap, rootXrayId)
graph, uniqDeps := utils.BuildXrayDependencyTree(treeMap, rootXrayId)
return graph, maps.Keys(uniqDeps)
}
